UGANDA MANAGEMENT INSTITUTE [UMI]
INFORMATION AND COMMUNICATION TECHNOLOGY DEPARTMENT
'We Empower People to Excel'
Module: MANAGEMENT INFORMATION SYSTEMS
Course: DLTM (Weekend UMI)
Date: 16 October – 5 November 2011
Venue: ROOM 47 (MAIN BUILDING – NEAR THE COMPUTER LABS)
Time: 08:30am – 4:30pm
Module Leader: JENNIFER ROSE ADUWO
Timetable (three sessions per day: 08:30 – 10:30am, BREAK, 11:00am – 01:00pm, LUNCH, 02:00 – 04:00pm)
Sunday 16 October 2011
- 08:30 – 10:30am: Introduction to Database Management; Microsoft Access - Basic Concepts (Jennifer Rose Aduwo)
- 11:00am – 01:00pm: Creating Tables in Design View (Jennifer Rose Aduwo)
- 02:00 – 04:00pm: Creating Forms using the wizard (Jennifer Rose Aduwo)
Saturday 22 October 2011
- 08:30 – 10:30am: Creating Queries using the wizard (Jennifer Rose Aduwo)
- 11:00am – 01:00pm: Creating Reports using the wizard (Jennifer Rose Aduwo)
- 02:00 – 04:00pm: Creating a menu screen; Filtering and Sorting (Jennifer Rose Aduwo)
Sunday 23 October 2011
- 08:30 – 10:30am: Creating a Switchboard (Menu screen); Filtering and Sorting (Jennifer Rose Aduwo)
- 11:00am – 01:00pm: Revision (Jennifer Rose Aduwo)
- 02:00 – 04:00pm: MS Access Assessment Test (Jennifer Rose Aduwo)
Saturday 29 October 2011
- 08:30 – 10:30am: Introduction to Information Systems (Walter Okello)
- 11:00am – 01:00pm: System concepts; Types of information systems (Walter Okello)
- 02:00 – 04:00pm: Information Systems Planning and Selection (Walter Okello)
Sunday 30 October 2011
- 08:30 – 10:30am: Systems Development and Evaluation (Walter Okello)
- 11:00am – 01:00pm: Systems Development and Evaluation (Walter Okello)
- 02:00 – 04:00pm: Implementing and Managing Systems (Hardware & Software & Data Resources) (Walter Okello)
Saturday 5 November 2011
- 08:30 – 10:30am: Information Systems Security Management (Kabugo David)
- 11:00am – 01:00pm: Information Systems Security Management/Ethics and Social Issues in Information Systems (Kabugo David)
- 02:00 – 04:00pm: Ethics and Social Issues in Information Systems; End of Module evaluation (Kabugo David)
Saturday 5 November 2011:
By Kabugo David
[PhD_Candidate, University of Cape Town],
[MSc.ICT University of Cape Town],
[M.Ed.ICT, Makerere University],
[PGD.ISD, U-Ghent Belgium],
[BA.Education, Makerere]
Information Security
Information Security (ISec) describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly managing these risks.
The risks to these assets can be calculated by analysis of the following issues:
- Threats to your assets. These are unwanted events that could cause the deliberate or accidental loss, damage or misuse of the assets.
- Vulnerabilities. How susceptible your assets are to attack.
- Impact. The magnitude of the potential loss or the seriousness of the event.
Information Security Management System (ISMS):
An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks. The terminology arose primarily out of ISO 27001.
The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.
As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001 therefore incorporates the typical "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:
- The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
- The Do phase involves implementing and operating the controls.
- The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
- In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.
Need for an ISMS
Security experts say and statistics confirm that:
- information technology security administrators should expect to devote approximately one-third of their time addressing technical aspects. The remaining two-thirds should be spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness;
- security depends on people more than on technology;
- employees are a far greater threat to information security than outsiders;
- security is like a chain. It is as strong as its weakest link;
- the degree of security depends on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay;
- security is not a status or a snapshot but a running process.
These facts inevitably lead to the conclusion that:
Security administration is a management issue and NOT a purely technical one.
The ISMS Framework
The establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks. Furthermore such a company will be capable of successfully addressing information confidentiality, integrity and availability requirements which in turn have implications for:
- business continuity;
- minimization of damages and losses;
- competitive edge;
- profitability and cash-flow;
- respected organization image;
- legal compliance.
The chief objective of Information Security Management is to implement the appropriate measures in order to eliminate or minimize the impact that various security-related threats and vulnerabilities might have on an organization. In doing so, Information Security Management will enable implementing the desirable qualitative characteristics of the services offered by the organization (i.e. availability of services, preservation of data confidentiality and integrity etc.).
Large organizations or organizations such as banks and financial institutes, telecommunication operators, hospital and health institutes and public or governmental bodies have many reasons for addressing information security very seriously. Legal and regulatory requirements which aim at protecting sensitive or personal data as well as general public security requirements impel them to devote the utmost attention and priority to information security risks.
Under these circumstances, the development and implementation of a separate and independent management process, namely an Information Security Management System, is the one and only alternative.
Critical success factors for ISMS
To be effective, the ISMS must:
- have the continuous, unshakeable and visible support and commitment of the organization’s top management;
- be managed centrally, based on a common strategy and policy across the entire organization;
- be an integral part of the overall management of the organization related to and reflecting the organization’s approach to Risk Management, the control objectives and controls and the degree of assurance required;
- have security objectives and activities based on business objectives and requirements and led by business management;
- undertake only necessary tasks, avoiding over-control and waste of valuable resources;
- fully comply with the organization’s philosophy and mindset by providing a system that, instead of preventing people from doing what they are employed to do, enables them to do it in control and demonstrate their fulfilled accountabilities;
- be based on continuous training and awareness of staff and avoid the use of disciplinary measures and “police” or “military” practices.
ETHICS IN AN INFORMATION SOCIETY 1
ETHICS AND SOCIAL ISSUES IN INFORMATION SYSTEMS 2
ETHICS, SOCIAL MEDIA ISSUES AND INFORMATION SECURITY 3
REFERENCES
http://en.wikipedia.org/wiki/Information_security_management. Retrieved on 3/Nov/2011
http://www.slideshare.net/belsis/introduction-to-information-security. Retrieved on 3/Nov/2011